Zero-day flaw in Atlassian Confluence exploited in the wild since May

Software firm Atlassian released emergency patches for its popular Confluence Server and Data Center products after reports came to light late last week that attackers were exploiting an unpatched vulnerability in the wild. According to data from Cloudflare’s web application firewall (WAF) service, the attacks started almost two weeks ago.

The vulnerability, now tracked as CVE-2022-26134, is rated critical and allows unauthenticated attackers to gain remote code execution (RCE) on servers hosting the affected Confluence versions. The company urges customers to upgrade to the newly released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, depending on which release they use.

Confluence OGNL injection vulnerability

The vulnerability is described as an Object-Graph Navigation Language (OGNL) injection, OGNL being an open-source expression language for getting and setting properties of Java objects. It offers a simpler way of achieving what can be done in Java itself and it is supported in many products.

In fact, OGNL injection is a class of vulnerabilities that has impacted other popular projects in the past. For example, the large 2017 Equifax data breach was caused by an unpatched OGNL injection vulnerability — CVE-2017-5638 — in the popular Apache Struts web application framework. By exploiting such flaws, attackers can trick applications into executing arbitrary code and commands, which was also the case now with this Confluence vulnerability.

Confluence attacks found in the wild

The first report about the vulnerability came on June 2 from security firm Volexity, which discovered it while investigating a security incident at a customer that involved a compromised Confluence Server accessible from the internet. “An initial review of one of the Confluence Server systems quickly identified that a JSP file had been written into a publicly accessible web directory,” the Volexity researchers wrote in a blog post. “The file was a well-known copy of the JSP variant of the China Chopper webshell. However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”

When analyzing a memory dump from the server, the researchers found evidence of the Confluence web application launching bash shells (bash being the standard command-line shell on Linux). First the Confluence process spawned a bash process, which spawned a Python process, which in turn spawned another bash shell. This was followed by the deployment of a publicly available memory-only implant called BEHINDER that has been used in past attacks against web servers. The drawback of this implant, from the attackers' perspective, is that it is not persistent and disappears if the server is restarted, which is why they also wrote the China Chopper webshell to disk as a secondary way of accessing and reinfecting the system.
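The spawn chain Volexity describes (the Confluence Java process launching bash, then Python, then another bash) is a pattern defenders can hunt for in process telemetry. The following is an added example, not code from the article or from Volexity: it walks parent/child links in a constructed set of process-start events and reports every shell whose ancestry leads back to the Confluence JVM; the event field names and the Confluence install path are assumptions.

```python
from dataclasses import dataclass

SHELLS = {"bash", "sh", "dash", "zsh"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable basename as an EDR/auditd forwarder would report it
    cmdline: str

def is_confluence_java(ev: ProcEvent) -> bool:
    # Confluence runs inside a JVM; matching the install path in the command
    # line is an assumption about how the deployment is laid out.
    return ev.image == "java" and "confluence" in ev.cmdline.lower()

def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Return [ev, parent, grandparent, ...] following ppid links, cycle-safe."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain

def find_shells_under_confluence(events: list) -> list:
    """Flag shells descended from the Confluence JVM; return each spawn chain root-first."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image not in SHELLS:
            continue
        chain = ancestry(ev, by_pid)
        for depth, anc in enumerate(chain[1:], start=1):
            if is_confluence_java(anc):
                hits.append(" -> ".join(p.image for p in reversed(chain[: depth + 1])))
                break
    return hits

# Constructed sample: the chain Volexity described, plus benign noise.
SAMPLE = [
    ProcEvent(1, 0, "systemd", "/sbin/init"),
    ProcEvent(1200, 1, "java", "/opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence"),
    ProcEvent(1301, 1200, "bash", "/bin/bash -c python -c ..."),
    ProcEvent(1302, 1301, "python", "python -c ..."),
    ProcEvent(1303, 1302, "bash", "/bin/bash -i"),
    ProcEvent(1399, 1, "sshd", "sshd: admin [priv]"),
    ProcEvent(1400, 1399, "bash", "-bash"),   # an admin's interactive login: not flagged
]

print(find_shells_under_confluence(SAMPLE))
```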

Copyright © 2022 IDG Communications, Inc.
